Mozilla Foundation Security Advisory 2010-56

Dangling pointer vulnerability in nsTreeContentView

Announced

September 7, 2010

Reporter

regenrecht

Impact

Critical

Products

Firefox, SeaMonkey, Thunderbird

Fixed in

Firefox 3.5.12

Firefox 3.6.9

SeaMonkey 2.0.7

Thunderbird 3.0.7

Thunderbird 3.1.3

Description

Security researcher regenrecht reported via
TippingPoint's Zero Day Initiative that the implementation of XUL
<tree>'s content view contains a dangling pointer vulnerability.
One of the content view's methods for accessing the internal structure
of the tree could be manipulated into removing a node prior to
accessing it, resulting in the accessing of deleted memory. If an
attacker can control the contents of the deleted memory prior to its
access they could use this vulnerability to run arbitrary code on a
victim's machine.